Skill v1.0.2

ClawScan security

Dpdp Checklist Gen · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Mar 16, 2026, 3:10 AM)
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and instructions are coherent with its stated purpose (calling a vendor API to produce a DPDP checklist), but it always sends user-supplied organizational data to an external service — review that before use.
Guidance
This skill is coherent: it simply proxies inputs to ToolWeb's DPDP API and returns the vendor's output. Before installing, confirm you trust portal.toolweb.in and its privacy/billing terms. Do not include secrets or unnecessary PII in requests (use redacted/test data first). Store TOOLWEB_API_KEY securely and restrict which agents can call this skill if you want to avoid automatic exfiltration of organizational data. If you need offline answers or must not send certain data externally, do not use this skill or ask the agent to generate assessments locally instead of calling the API.

Review Dimensions

Purpose & Capability
Status: ok
Name/description align with the declared requirements: the skill is an API-backed DPDP checklist generator and explicitly requires TOOLWEB_API_KEY and curl to call portal.toolweb.in.
Instruction Scope
Status: note
SKILL.md mandates always calling the external ToolWeb API and explicitly instructs the agent NOT to answer from its own knowledge. The instructions only collect user-supplied organization and processing details (expected for this purpose), but they transmit that data to https://portal.toolweb.in; no local fallback processing is allowed. This increases data exposure risk, since sensitive organization/processing details or PII could be sent to the vendor.
Install Mechanism
Status: ok
Instruction-only skill with no install spec or code files. No files are downloaded or executed on install, minimizing local persistence risk.
Credentials
Status: ok
The only required environment variable is TOOLWEB_API_KEY (declared as primaryEnv), which is consistent with the API call in SKILL.md. No unrelated credentials or config paths are requested.
Persistence & Privilege
Status: note
The always flag is false and there is no install-time persistence. The skill can be invoked autonomously (platform default); combined with the mandatory external API calls, this means an agent with autonomous invocation could send data to the vendor without further prompts. Consider whether you want that behavior.